package org.keycloak.adapters.as7;

import java.io.IOException;
import java.util.Iterator;
import java.util.Set;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import org.apache.catalina.Container;
import org.apache.catalina.Session;
import org.apache.catalina.Valve;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.jboss.logging.Logger;
import org.keycloak.SkeletonKeySession;
import org.keycloak.representations.adapters.config.AdapterConfig;

/* loaded from: input_file:org/keycloak/adapters/as7/AuthenticatedActionsValve.class */
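/**
 * Valve that runs in front of the protected application and handles two
 * adapter-level actions for requests that carry a {@link SkeletonKeySession}:
 * <ul>
 *   <li>CORS: when {@code config.isCors()} is set, checks the {@code Origin}
 *       header against the allowed origins carried in the session's token;</li>
 *   <li>bearer-token query: a request whose URI ends with
 *       {@code k_query_bearer_token} is answered with the raw token string,
 *       subject to {@link #abortTokenResponse}.</li>
 * </ul>
 * Every other request is passed to the next valve.
 */
public class AuthenticatedActionsValve extends ValveBase {
    private static final Logger log = Logger.getLogger(AuthenticatedActionsValve.class);
    protected AdapterConfig config;

    /**
     * @param adapterConfig adapter settings read by this valve ({@code isCors}, {@code isExposeToken})
     * @param valve         next valve in the pipeline; must not be {@code null}
     * @param container     container this valve is attached to
     * @param objectName    controller name passed to {@code setController}
     * @throws IllegalArgumentException if {@code valve} is {@code null}
     */
    public AuthenticatedActionsValve(AdapterConfig adapterConfig, Valve valve, Container container, ObjectName objectName) {
        this.config = adapterConfig;
        if (valve == null) {
            // IllegalArgumentException is a RuntimeException, so existing catch blocks still match.
            throw new IllegalArgumentException("WTF is next null?!");
        }
        setNext(valve);
        setContainer(container);
        setController(objectName);
    }

    /**
     * Applies the CORS check first, then either serves the bearer-token query
     * or delegates to the next valve.
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        log.debugv("AuthenticatedActionsValve.invoke {0}", request.getRequestURI());
        SkeletonKeySession skeletonKeySession = getSkeletonKeySession(request);
        if (corsRequest(request, response, skeletonKeySession)) {
            // corsRequest already sent the 403.
            return;
        }
        // NOTE(review): this is a suffix match on the request URI, so any path
        // that ends with this string reaches the token endpoint. Confirm that
        // is intended rather than an exact match on a single path.
        if (request.getRequestURI().endsWith("k_query_bearer_token")) {
            queryBearerToken(request, response, skeletonKeySession);
        } else {
            getNext().invoke(request, response);
        }
    }

    /**
     * Looks up the session object for this request.
     *
     * @return the request attribute stored under {@code SkeletonKeySession.class.getName()},
     *         else the note with the same key on the internal session, else {@code null}
     */
    public SkeletonKeySession getSkeletonKeySession(Request request) {
        String key = SkeletonKeySession.class.getName();
        SkeletonKeySession fromRequest = (SkeletonKeySession) request.getAttribute(key);
        if (fromRequest != null) {
            return fromRequest;
        }
        Session sessionInternal = request.getSessionInternal();
        if (sessionInternal == null) {
            return null;
        }
        return (SkeletonKeySession) sessionInternal.getNote(key);
    }

    /**
     * Writes the session's token string to the response as {@code text/plain},
     * unless {@link #abortTokenResponse} has already answered the request.
     */
    protected void queryBearerToken(Request request, Response response, SkeletonKeySession skeletonKeySession) throws IOException, ServletException {
        log.debugv("queryBearerToken {0}", request.getRequestURI());
        if (abortTokenResponse(request, response, skeletonKeySession)) {
            return;
        }
        response.setStatus(200);
        response.setContentType("text/plain");
        // The body is a bearer credential: tell browsers and intermediaries not to store it.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        // Encode with an explicit charset instead of the platform default.
        response.getOutputStream().write(skeletonKeySession.getTokenString().getBytes("UTF-8"));
        response.getOutputStream().flush();
    }

    /**
     * Decides whether the token must be withheld.
     *
     * @return {@code true} when the response has been completed without a token:
     *         401 if there is no session; an empty 200 if token exposure is
     *         disabled, or if the request carries an {@code Origin} header while
     *         CORS is disabled. {@code false} when the caller may write the token.
     */
    protected boolean abortTokenResponse(Request request, Response response, SkeletonKeySession skeletonKeySession) throws IOException {
        if (skeletonKeySession == null) {
            log.debugv("session was null, sending back 401: {0}", request.getRequestURI());
            response.sendError(401);
            return true;
        }
        if (!this.config.isExposeToken()) {
            // Token exposure is off: answer 200 with no body rather than revealing the setting via an error.
            response.setStatus(200);
            return true;
        }
        if (this.config.isCors() || request.getHeader("Origin") == null) {
            return false;
        }
        // Cross-origin request while CORS is disabled: never hand out the token.
        response.setStatus(200);
        return true;
    }

    /**
     * Checks the {@code Origin} header against the allowed origins in the token
     * and sets the CORS response headers on a match.
     *
     * @return {@code true} when the request was rejected with 403 and must not
     *         be processed further; {@code false} when CORS is disabled, when
     *         there is no session or no {@code Origin} header, or when the
     *         origin is allowed
     */
    protected boolean corsRequest(Request request, Response response, SkeletonKeySession skeletonKeySession) throws IOException {
        if (!this.config.isCors()) {
            return false;
        }
        // The original message contained the literal text "+ request.getRequestURI()"; log the URI itself.
        log.debugv("CORS enabled {0}", request.getRequestURI());
        String origin = request.getHeader("Origin");
        // Origin is client-supplied; it only reaches the log at debug level.
        log.debugv("Origin: {0} uri: {1}", origin, request.getRequestURI());
        if (skeletonKeySession == null || origin == null) {
            log.debugv("session or origin was null: {0}", request.getRequestURI());
            return false;
        }
        Set<?> allowedOrigins = skeletonKeySession.getToken().getAllowedOrigins();
        if (allowedOrigins == null) {
            // Fail closed. Previously a token without allowed origins caused a
            // NullPointerException (in the debug dump or in the final contains()
            // check) instead of the intended 403.
            log.debugv("allowedOrigins was null in token");
            response.sendError(403);
            return true;
        }
        if (log.isDebugEnabled()) {
            for (Object allowed : allowedOrigins) {
                log.debug("   " + allowed);
            }
        }
        if (allowedOrigins.contains("*") || allowedOrigins.contains(origin)) {
            log.debugv("returning origin: {0}", origin);
            // NOTE(review): with "*" in the token, any Origin is echoed back
            // together with Allow-Credentials: true, i.e. every site may make
            // credentialed requests. Confirm that wildcard tokens are meant to
            // grant this.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            // The Allow-Origin value depends on the request, so shared caches must key on Origin.
            response.addHeader("Vary", "Origin");
            return false;
        }
        log.debugv("allowedOrigins did not contain origin");
        response.sendError(403);
        return true;
    }
}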
